Worldwide infrastructure outages caused by DDoS attacks are continuing to be a growing threat to today’s organizations as attackers find new ways to bypass existing mitigation technologies. According to a recent report by Kaspersky, DDoS attacks in Q1 2018 were at an all-time high in terms of both volume and duration. In addition to these growing numbers of attacks, organizations are experiencing a shortage of experienced cybersecurity professionals, making it more difficult to effectively defend their infrastructure and quickly remediate such attacks.
How SOAR Tools Can Help Expedite DDoS Incident Response
Manual data collection is time-consuming and requires an individual to access each tool separately to retrieve the specific information they require, then export the data and correlate it by hand. Depending on the organization’s workflow, the information may also need to be added to the incident management ticketing system in order to be shared with other teams within the organization. This process requires a skilled analyst to spend a significant amount of time on mundane and repetitive tasks which could easily be automated, which greatly reduces the value that analyst delivers to the organization.
A security orchestration, automation, and response (SOAR) platform, properly integrated into the security program, can help maximize the value of these skilled analysts. The IncMan SOAR platform from DFLabs allows security program administrators to create automated, conditional workflows to respond to incidents such as a DDoS attack through IncMan’s R3 Rapid Response Runbooks. These runbooks allow the automation of mundane, repetitive tasks, while IncMan’s Dual Mode Orchestration technology allows security program administrators to ensure that human intervention, oversight or approval is required when necessary. This allows security analysts to focus solely on the tasks which require human input, allowing organizations to maximize the efficiency of their security teams and to reduce the mean time to detection (MTTD) and mean time to resolution (MTTR).
IncMan SOAR is able to collect data from sources such as email, syslogs, database queries, as well as custom scripts and an assortment of bi-directional integrations with third-party solutions. With the right SOAR solution in place, it is possible to expedite data collection, collect threat intelligence and acquire forensic information from automatically triggered actions, notify the appropriate stakeholders and conduct supervised containment actions when appropriate. The use of the platform will heavily reduce the number of manual and mundane tasks that the analyst needs to perform, freeing up their time to complete more in-depth analysis and incident mitigation.
How Can Threat Intelligence Prevent DDoS Attacks?
A vast amount of threat data is being generated from a number of security tools and other data sources on an ongoing basis. It is critical that this information is accurately collected, stored and applied in order for the intelligence to be actionable and provide benefit to the organization.
Using the analogy of cooking, there is little value in having all of the ingredients for a recipe without the proper context regarding how each ingredient is used. Simply throwing all of the ingredients into a single pot will not create a culinary masterpiece and will not produce the desired results. The same concept applies to threat intelligence data. The vast amount of threat data is of little value to a security team without the proper context. The right SOAR platform should assist the security team in correlating this threat data, turning a list of ingredients into a proper dish, or threat data into actionable threat intelligence.
Accurately correlated threat intelligence can provide critical insight to inform decisions as well as to contain and mitigate present and future attacks. Intelligence data should be made available in multiple forms, including visualizations, to assist security analysts in correctly understanding the full context of the information. Correlation graphs and search capabilities can also be utilized to enable threat hunting, allowing security analysts to proactively seek out threats which may be looming or have gone undetected by automated detection technologies.
The Best Approach to Prevent DDoS Attacks
A layered approach to defense is the best method to prevent, or at the very least minimize the impact of, a DDoS attack, while eliminating any single points of failure. Maintaining network baseline information, monitoring the network for any anomalies and ensuring all systems remain patched are all critical components of DDoS mitigation.
For critical systems which cannot tolerate any downtime, it is important to have a documented DDoS mitigation strategy in place. DDoS mitigation strategies vary depending on the type of network being protected and the maximum tolerable downtime, but may include high availability or redundant systems, backup connections or DDoS scrubbing services.
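The conditional, baseline-driven runbook pattern described above (automated collection and enrichment, with containment gated behind human approval) can be sketched in a few dozen lines. The following is an added illustration written for this page, not IncMan or DFLabs code: the baseline samples, the live readings, the top-talker addresses and the threat feed entries are all constructed values in documentation address ranges, the three-sigma threshold is an assumed policy, and the notification and containment steps are stand-ins for whatever integrations a real platform would call.

```python
import ipaddress
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Callable, Dict, List, Tuple

# Constructed baseline: requests per second observed during normal operation.
BASELINE_RPS = [1180, 1220, 1195, 1260, 1210, 1175, 1240, 1205, 1230, 1190]

# Constructed threat feed (hypothetical labels, RFC 5737 documentation prefixes).
THREAT_FEED = {
    "203.0.113.0/24": "previously observed as reflector",
    "198.51.100.0/24": "known booter infrastructure",
}

Baseline = Tuple[float, float]  # (mean, population standard deviation)


def compute_baseline(samples: List[int]) -> Baseline:
    """Summarize historical traffic so live readings can be compared against it."""
    return mean(samples), pstdev(samples)


def is_anomalous(value: float, baseline: Baseline, k: float = 3.0) -> bool:
    """Assumed policy: a reading more than k standard deviations above the mean is anomalous."""
    avg, sd = baseline
    return value > avg + k * sd


def enrich(sources: List[str], feed: Dict[str, str]) -> Dict[str, str]:
    """Correlate top-talker addresses with threat feed prefixes (the 'context' step)."""
    networks = {ipaddress.ip_network(prefix): label for prefix, label in feed.items()}
    hits: Dict[str, str] = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        for net, label in networks.items():
            if addr in net:
                hits[src] = label
    return hits


@dataclass
class RunbookResult:
    triggered: bool
    intel_hits: Dict[str, str] = field(default_factory=dict)
    notified: bool = False
    contained: bool = False
    pending_approval: bool = False
    log: List[str] = field(default_factory=list)


def run_runbook(observed_rps: float, top_sources: List[str], baseline: Baseline,
                approve: Callable[[str], bool]) -> RunbookResult:
    """Automated steps run unattended; containment waits for a human decision."""
    result = RunbookResult(triggered=False)
    if not is_anomalous(observed_rps, baseline):
        result.log.append(f"{observed_rps} rps within baseline, no action")
        return result

    result.triggered = True
    result.log.append(f"anomaly: {observed_rps} rps vs baseline mean {baseline[0]:.1f}")

    # Fully automated: enrichment and notification (stand-in for ticket/email integrations).
    result.intel_hits = enrich(top_sources, THREAT_FEED)
    result.notified = True
    result.log.append(f"notified stakeholders; {len(result.intel_hits)} feed matches")

    # Supervised: diverting to scrubbing is disruptive, so it needs explicit approval.
    summary = f"{observed_rps} rps from {len(top_sources)} top sources, feed hits {result.intel_hits}"
    if approve(summary):
        result.contained = True
        result.log.append("containment approved: traffic diverted to scrubbing (stand-in)")
    else:
        result.pending_approval = True
        result.log.append("containment awaiting analyst approval")
    return result


if __name__ == "__main__":
    base = compute_baseline(BASELINE_RPS)
    talkers = ["203.0.113.45", "192.0.2.7", "198.51.100.9"]  # constructed
    for reading in (1225, 9800):
        r = run_runbook(reading, talkers, base, approve=lambda s: False)
        print("\n".join(r.log))
```

The split between unattended and supervised steps is the point: enrichment and notification are safe to run on every trigger, while the containment branch returns `pending_approval` until an analyst confirms, which is the behaviour the dual-mode description above calls for.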
DDoS attacks represent a dominant threat and often target organizations that provide a service to a wide customer base, area or network in order to have the largest impact. DDoS attacks are also continuing to become more complex and larger in size, as recently seen in the attacks on GitHub in early March which generated 1.3 Tbps of traffic, followed two weeks later by another attack of 1.7 Tbps.
Some organizations are now experiencing over 10,000 threat events weekly; an overwhelming number of events to be manually investigated and mitigated by incident responders. A SOAR solution will act as a force multiplier, enabling security teams to do more with fewer resources, and will help reduce the MTTD and MTTR, proactively helping to respond to future alerts and even preventing incidents from occurring in the first instance. Historical event and data correlation is critical and can be used to identify security gaps, harden networks and allow for early detection of potential security incidents, further increasing the ROI of a SOAR platform.